Email-borne attacks hit energy and utilities harder than most other sectors

Email-borne attacks hit energy and utilities harder than most other sectors

Posted by HSSL Technologies on Nov 1st 2023

The energy and utilities industry is part of the world’s critical infrastructure. Without reliable access to electricity, natural gas, renewables, water supplies, and more, many things we rely on will grind to a halt with potentially devasting consequences for companies, economies, geopolitical stability, and even human life.

The expanding attack surface

The energy and utilities industry increasingly relies on digital technologies to manage and integrate complex distributed operations and remote sites, such as wind farms, power plants, and grids. The resulting web of Internet of Things (IoT) systems increases the attack surface that cyberattackers can target — especially where they interface with under protected legacy infrastructure.

Successful cyberattacks against energy and utilities companies are high profile. Examples include the May 2021 ransomware attack against Colonial Pipeline, the largest U.S. fuel pipeline. The attack led to a $4.4 million ransom payment, fuel shortages, and panic buying among motorists. Then in April 2022, three wind-energy companies in Germany were they hit with cyberattacks that disabled thousands of digitally managed wind turbines. In December of the same year, CNN reported that attackers had stolen data belonging to multiple electric utilities in a ransomware attack on a U.S. government contractor that handles critical infrastructure projects across the country.

Understanding and addressing the cyberrisks facing the energy and utilities industry is a global priority. A good place to start is with email-based risk. Email remains a primary attack vector with a high rate of success that is a common entry point for many other cyberattacks.

Energy and utilities companies are among the most likely to suffer an email security breach — and the most likely to experience employee productivity loss afterwards

Recent international research undertaken among mid-sized companies found that, during 2022, 81% of respondents from the “Energy, Oil & Gas, and Utilities” sector had experienced an email security breach. The all-industry total was 75%.

Of all the industries surveyed, this sector was the most impacted by loss of employee productivity, with more than half (52%) of respondents listing this as an after-effect of the attack — compared to just 38% overall. The productivity drop is likely linked to the fact that 48% had more than half their workforce working remotely, out in the field, and these employees would be unable to work during downtime.

An above average proportion of respondents in this industry (50%) mentioned the damaging impact of email security breaches on brand reputation. As a highly regulated and competitive critical infrastructure with a broad end user base — including consumers — a security incident may touch many people, damage customer relationships, and lead to negative stories about fines or compliance breaches, none of which will reflect well on the brand.

The energy and utilities industry was the least likely to feel that the cost of recovery was a significant impact, with just 22% listing this as an effect compared to 31% overall. However, the research also found that actual recovery costs were among the highest.

The average cost of the most expensive attack for this industry in 2022 — $1,316,190 — was the third highest and compares with an all-industry figure of $1,033,066. The high cost of recovering from the impact of an attack for this industry is likely to reflect the dispersed location of digital assets and employees — just under half (48%) work remotely — and any financial penalties incurred.

56% of those affected by ransomware were hit twice or more — more than any other industry

The above-average proportion of organizations experiencing a successful email security breach makes it almost inevitable that the proportion of companies hit with other attacks, including ransomware is also relatively high.

In fact, 85% of respondents in this industry had been hit with ransomware, compared to 75% overall — and the sector was also the most likely to be hit with repeat attacks.

56% of respondents in this sector reported two or more successful ransomware incidents, compared to an overall figure of 38%. This suggests that attacks are not always completely neutralized or that security gaps are not always identified and addressed after the initial incident.

The good news is that nearly two-thirds (62%) were able to restore encrypted data using backups, compared to 52% overall, although 31% paid the ransom to recover their data.

Energy and utilities companies are the most likely to fall victim to a highly targeted, spear-phishing attack

Nearly three-quarters of respondents (73%) in this sector were hit with a successful spear-phishing attack in 2022, compared to 50% overall, making energy and utilities the most affected sector for spear phishing by a considerable margin.

The organizations that had fallen prey to spear phishing reported impacts that were also seen in other industries but rarely to the same extent. 64% said that computers or other machines had been infected with malware or viruses a—compared to 55% overall; while 62% said that confidential or sensitive data had been stolen — compared to 49% overall. Reputational damage again seems to have been a notable effect for this sector, referenced by 45%. This is higher than any other industry and compares with an all-industry total of 37%. Just 37% reported having virus and malware filters in place compared to an overall total of 47%.

The sector is not fully equipped to tackle basic threats — and less likely to feel a lot more secure than last year

More than many other industries, energy and utilities companies felt underprepared to deal with relatively basic threats, including viruses and malware — with 46% putting this on the list compared to an all-industry total of 34%. Similarly, 39% in this sector felt underprepared to deal with spam, compared to 28% overall), and 32% listed phishing, compared to 26% overall.

This is a concerning result in view of the volume of cyberthreats successfully targeting this sector. It may in part reflect the fact that this sector reports lower than average investment in many security technologies, including email authentication, computer-based security awareness training, Zero Trust Access controls, URL protection, account takeover and dedicated spear-phishing protection, automated incident response, and more.

It is not surprising to find that the results also show just 26% feels “a lot” more secure than they did in the previous year — compared to 34% overall.

It is not surprising to find that the results also show just 26% feels “a lot” more secure than they did in the previous year — compared to 34% overall.

It takes around 4 days to detect and remediate an email security incident

The research shows that it takes energy and utilities companies slightly longer than many other sectors to spot an email security incident — 51 hours on average, compared to 43 overall. They were faster than most when it came to responding to and remediating the incident, though, — taking 42 hours on average, compared to 56 overall.

According to respondents in this sector, the biggest obstacles to fast response and mitigation were a lack of automation, cited by 46%, compared to an all-industry total of 38%; and a lack of visibility, cited by 40%, compared to 29% overall.

This is a sector where digital technologies and innovation are being developed and implemented at speed and then plugged into ageing, undersecured legacy systems. So it is not surprising that a lack of visibility across the IT estate ,and incomplete security automation, represent significant barriers to integrated security.

Securing critical infrastructure industries

Email-based cyberattacks are widespread, ever-evolving — and persistently successful.

The research reveals the extent to which the energy and utilities sector is under attack and the significant cost and impact of a successful breach.

Organizations in this sector need security solutions that are easy to implement, run and manage, Automated protection technologies will make a real difference, especially as many respondents say they are lacking even basic protection against malware and viruses. This could mean that they haven’t activated or correctly configured the built-in filters that generally come as standard with most enterprise email solutions.

A regular review, audit or health check of the organization’s security posture is critical – and should bring to light any tools that are already in place but not functioning properly.

The survey was conducted for Barracuda by independent research firm Vanson Bourne and questioned IT professionals from frontline to the most senior roles in companies with 100 to 2,500 employees, across a range of industries in the U.S. and EMEA and APAC countries. The sample included 129 companies in Energy, Oil & Gas, and Utilities.